Vladimir--you should thank Nickolay because he pointed me to that solution some time in the past.
Nickolay--does evalInSandbox() scope the created objects non-globally? Does it ignore CC and CI calls? I've heard your comment before, I'm just curious what makes it safer than eval(). (I'm not questioning you, I'm only trying to learn why it's safer)
----- Original Message ----
From: Nickolay Ponomarev <asqueella at gmail.com>
To: Mozdev Project Owners List <project_owners at mozdev.org>
Sent: Saturday, July 15, 2006 7:54:56 AM
Subject: Re: [Project_owners] Storing configuration
On 7/15/06, Vladimír Marek <vlmarek at volny.cz> wrote:
> Hi Eric,
>> > You can use Object.toSource() to serialize the source to a string. To
> > read the string back into objects, use eval(string);
>> That's excellent, exactly what I was looking for ! :)
>Not that it matters much in the case of reading from the preferences,
but evalInSandbox is safer/better generally, because a simple eval()
executes the code with the chrome privileges, so if the attacker can
make you eval() his string, he gains full control over the system.
Nickolay
_______________________________________________
Project_owners mailing list
Project_owners at mozdev.orghttp://mozdev.org/mailman/listinfo/project_owners
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mozdev.org/pipermail/project_owners/attachments/20060715/e29a7be2/attachment.htm